Policy List

Last updated for Chrome 65.0.3288.0.

Both Chromium and Google Chrome support the same set of policies. Please note that this document may include unreleased policies (i.e. their 'Supported on' entry refers to a not-yet released version of Google Chrome) which are subject to change or removal without notice and for which no guarantees of any kind are provided, including no guarantees with respect to their security and privacy properties.

These policies are strictly intended to be used to configure instances of Google Chrome internal to your organization. Use of these policies outside of your organization (for example, in a publicly distributed program) is considered malware and will likely be labeled as malware by Google and anti-virus vendors.

These settings don't need to be configured manually! Easy-to-use templates for Windows, Mac and Linux are available for download from https://www.chromium.org/administrators/policy-templates.

The recommended way to configure policy on Windows is via GPO, although provisioning policy via registry is still supported for Windows instances that are joined to a Microsoft® Active Directory® domain.

Set the default state of the large cursor accessibility feature on the login screen.

If this policy is set to true, the large cursor will be enabled when the login screen is shown.

If this policy is set to false, the large cursor will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling the large cursor. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the large cursor is disabled when the login screen is first shown. Users can enable or disable the large cursor anytime and its status on the login screen is persisted between users.

Set the default state of the spoken feedback accessibility feature on the login screen.

If this policy is set to true, spoken feedback will be enabled when the login screen is shown.

If this policy is set to false, spoken feedback will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling spoken feedback. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, spoken feedback is disabled when the login screen is first shown. Users can enable or disable spoken feedback anytime and its status on the login screen is persisted between users.

Set the default state of the high contrast mode accessibility feature on the login screen.

If this policy is set to true, high contrast mode will be enabled when the login screen is shown.

If this policy is set to false, high contrast mode will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling high contrast mode. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, high contrast mode is disabled when the login screen is first shown. Users can enable or disable high contrast mode anytime and its status on the login screen is persisted between users.

Set the default state of the on-screen keyboard accessibility feature on the login screen.

If this policy is set to true, the on-screen keyboard will be enabled when the login screen is shown.

If this policy is set to false, the on-screen keyboard will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling the on-screen keyboard. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the on-screen keyboard is disabled when the login screen is first shown. Users can enable or disable the on-screen keyboard anytime and its status on the login screen is persisted between users.

Set the default type of screen magnifier that is enabled on the login screen.

If this policy is set, it controls the type of screen magnifier that is enabled when the login screen is shown. Setting the policy to "None" disables the screen magnifier.

If you set this policy, users can temporarily override it by enabling or disabling the screen magnifier. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the screen magnifier is disabled when the login screen is first shown. Users can enable or disable the screen magnifier anytime and its status on the login screen is persisted between users.

Disables Google Drive syncing in the Google Chrome OS Files app when using a cellular connection when set to True. In that case, data is only synced to Google Drive when connected via WiFi or Ethernet.

If not set or set to False, then users will be able to transfer files to Google Drive via cellular connections.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android Google Drive app. If you want to prevent use of Google Drive over cellular connections, you should disallow installation of the Android Google Drive app.

Configure remote access options

Configure remote access options in Chrome Remote Desktop host.
Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using Chrome Remote Desktop application. The native service is packaged and executed separately from the Google Chrome browser.
These policies are ignored unless the
Chrome Remote Desktop host is installed.

Configures the required client domain names that will be imposed on remote access clients and prevents users from changing it.

If this setting is enabled, then only clients from one of the specified domains can connect to the host.

If this setting is disabled or not set, then the default policy for the connection type is applied. For remote assistance, this allows clients from any domain to connect to the host; for anytime remote access, only the host owner can connect.

Restricts the UDP port range used by the remote access host in this machine.

If this policy is left not set, or if it is set to an empty string, the remote access host will be allowed to use any available port, unless the policy RemoteAccessHostFirewallTraversal is disabled, in which case the remote access host will use UDP ports in the 12400-12409 range.

RemoteAccessHostMatchUsername

Requires that the name of the local user and the remote access host owner match

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostMatchUsername

Mac/Linux preference name:

RemoteAccessHostMatchUsername

Supported on:

Google Chrome (Linux) since version 25

Google Chrome (Mac) since version 25

Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this setting is enabled, then the remote access host compares the name of the local user (that the host is associated with) and the name of the Google account registered as the host owner (i.e. "johndoe" if the host is owned by "johndoe@example.com" Google account). The remote access host will not start if the name of the host owner is different from the name of the local user that the host is associated with. RemoteAccessHostMatchUsername policy should be used together with RemoteAccessHostDomain to also enforce that the Google account of the host owner is associated with a specific domain (i.e. "example.com").

If this setting is disabled or not set, then the remote access host can be associated with any local user.

RemoteAccessHostTokenUrl

URL where remote access clients should obtain their authentication token

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostTokenUrl

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostTokenUrl

Mac/Linux preference name:

RemoteAccessHostTokenUrl

Supported on:

Google Chrome (Linux, Mac, Windows) since version 28

Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set, the remote access host will require authenticating clients to obtain an authentication token from this URL in order to connect. Must be used in conjunction with RemoteAccessHostTokenValidationUrl.

If this policy is set, the remote access host will use this URL to validate authentication tokens from remote access clients, in order to accept connections. Must be used in conjunction with RemoteAccessHostTokenUrl.

Allows you to set whether websites are allowed to set local data. Setting local data can be either allowed for all websites or denied for all websites.

If this policy is set to 'Keep cookies for the duration of the session' then cookies will be cleared when the session closes. Note that if Google Chrome is running in 'background mode', the session may not close when the last window is closed. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.

If this policy is left not set, 'AllowCookies' will be used and the user will be able to change it.

Allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites.

Click to play allows the Flash plugin to run but the user must click on the placeholder to start its execution.

Automatic playback is only allowed for domains explictly listed in the PluginsAllowedForUrls policy. If you want to enabled automatic playback for all sites consider adding http://* and https://* to this list.

If this policy is left not set, the user will be able to change this setting manually.

Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications.

If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.

Allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.

If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.

1 = Allow sites to track the users' physical location

2 = Do not allow any site to track the users' physical location

3 = Ask whenever a site wants to track the users' physical location

Note for Google Chrome OS devices supporting Android apps:

If this policy is set to BlockGeolocation, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.

Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.

If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.

2 = Do not allow any site to access the camera and microphone

3 = Ask every time a site wants to access the camera and/or microphone

Allows you to set whether websites are allowed to get access to nearby Bluetooth devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to nearby Bluetooth devices.

If this policy is left not set, '3' will be used, and the user will be able to change it.

2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API

3 = Allow sites to ask the user to grant access to a nearby Bluetooth device

Allows you to specify a list of url patterns that specify sites for which Google Chrome should automatically select a client certificate, if the site requests a certificate.

The value must be an array of stringified JSON dictionaries. Each dictionary must have the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts from which client certificates the browser will automatically select. Independent of the filter, only certificates will be selected that match the server's certificate request. If $FILTER has the form { "ISSUER": { "CN": "$ISSUER_CN" } }, additionally only client certificates are selected that are issued by a certificate with the CommonName $ISSUER_CN. If $FILTER is the empty dictionary {}, the selection of client certificates is not additionally restricted.

If this policy is left not set, no auto-selection will be done for any site.

CookiesSessionOnlyForUrls

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CookiesSessionOnlyForUrls

Mac/Linux preference name:

CookiesSessionOnlyForUrls

Android restriction name:

CookiesSessionOnlyForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11

Google Chrome OS (Google Chrome OS) since version 11

Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to set session only cookies.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.

Note that if Google Chrome is running in 'background mode', the session may not be closed when the last browser window is closed, but will instead stay active until the browser exits. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.

If the "RestoreOnStartup" policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.

Can Be Mandatory: No, Can Be Recommended: Yes, Dynamic Policy Refresh: No, Per Profile: Yes

Description:

Allows you to register a list of protocol handlers. This can only be a recommended policy. The property |protocol| should be set to the scheme such as 'mailto' and the property |url| should be set to the URL pattern of the application that handles the scheme. The pattern can include a '%s', which if present will be replaced by the handled URL.

The protocol handlers registered by policy are merged with the ones registered by the user and both are available for use. The user can override the protocol handlers installed by policy by installing a new default handler, but cannot remove a protocol handler registered by policy.

Note for Google Chrome OS devices supporting Android apps:

The protocol handlers set via this policy are not used when handling Android intents.

Specifies the URL of the search engine used to provide search suggestions. The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.

Specifies the URL of the search engine used to provide image search. Search requests will be sent using the GET method. If the DefaultSearchProviderImageURLPostParams policy is set then image search requests will use the POST method instead.

This policy is optional. If not set, no image search will be used.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Specifies the parameters used when searching a URL with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.

This policy is optional. If not set, search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Specifies the parameters used when doing suggestion search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.

This policy is optional. If not set, suggest search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Specifies the parameters used when doing image search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {imageThumbnail} in above example, it will be replaced with real image thumbnail data.

This policy is optional. If not set, image search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Extensions

Configures extension-related policies. The user is not allowed to install blacklisted extensions unless they are whitelisted. You can also force Google Chrome to automatically install extensions by specifying them in ExtensionInstallForcelist. Force-installed extensions are installed regardless whether they are present in the blacklist.

Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blacklisted, without a way for the user to enable them. Once an extension disabled due to the blacklist is removed from it, it will automatically get re-enabled.

A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist.

If this policy is left not set the user can install any extension in Google Chrome.

Specifies a list of apps and extensions that are installed silently,
without user interaction, and which cannot be uninstalled nor
disabled by the user. All permissions requested by the
apps/extensions are granted implicitly, without user interaction,
including any additional permissions requested by future versions of
the app/extension. Furthermore, permissions are granted for the
enterprise.deviceAttributes and enterprise.platformKeys extension
APIs. (These two APIs are not available to apps/extensions that are
not force-installed.)

This policy takes precedence over a potentially conflicting ExtensionInstallBlacklist policy. If an app or extension that previously had been force-installed is removed from this list, it is automatically uninstalled by Google Chrome.

For Windows instances that are not joined to a Microsoft® Active Directory® domain, forced installation is limited to apps and extensions listed in the Chrome Web Store.

Note that the source code of any extension may be altered by users via Developer Tools (potentially rendering the extension dysfunctional). If this is a concern, the DeveloperToolsDisabled policy should be set.

Each list item of the policy is a string that contains an extension ID and an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL should point to an Update Manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest.

Allows you to specify which URLs are allowed to install extensions, apps, and themes.

Starting in Google Chrome 21, it is more difficult to install extensions, apps, and user scripts from outside the Chrome Web Store. Previously, users could click on a link to a *.crx file, and Google Chrome would offer to install the file after a few warnings. After Google Chrome 21, such files must be downloaded and dragged onto the Google Chrome settings page. This setting allows specific URLs to have the old, easier installation flow.

Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e. the referrer) must be allowed by these patterns.

ExtensionInstallBlacklist takes precedence over this policy. That is, an extension on the blacklist won't be installed, even if it happens from a site on this list.

Controls which app/extension types are allowed to be installed and limits runtime access.

This setting white-lists the allowed types of extension/apps that can be installed in Google Chrome and which hosts they can interact with. The value is a list of strings, each of which should be one of the following: "extension", "theme", "user_script", "hosted_app", "legacy_packaged_app", "platform_app". See the Google Chrome extensions documentation for more information on these types.

Note that this policy also affects extensions and apps to be force-installed via ExtensionInstallForcelist.

If this setting is configured, extensions/apps which have a type that is not on the list will not be installed.

If this settings is left not-configured, no restrictions on the acceptable extension/app types are enforced.

ExtensionSettings

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionSettings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionSettings

Mac/Linux preference name:

ExtensionSettings

Supported on:

Google Chrome (Linux, Mac, Windows) since version 62

Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures extension management settings for Google Chrome.

This policy controls multiple settings, including settings controlled by any existing extension-related policies. This policy will override any legacy policies if both are set.

This policy maps an extension ID or an update URL to its configuration. With an extension ID, configuration will be applied to the specified extension only. A default configuration can be set for the special ID "*", which will apply to all extensions that don't have a custom configuration set in this policy. With an update URL, configuration will be applied to all extensions with the exact update URL stated in manifest of this extension, as described at https://developer.chrome.com/extensions/autoupdate.

For a full description of possible settings and structure of this policy please visit https://www.chromium.org/administrators/policy-list-3/extension-settings-full

If this policy is set to true or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.

Home page

Configure the default home page in Google Chrome and prevents users from changing it.
The user's home page settings are only completely locked down, if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'.

Configures the default New Tab page URL and prevents users from changing it.

The New Tab page is the page opened when new tabs are created (including the one opened in new windows).

This policy does not decide which pages are to be opened on start up. Those are controlled by the RestoreOnStartup policies. Yet this policy does affect the Home Page if that is set to open the New Tab page, as well as the startup page if that is set to open the New Tab page.

If the policy is not set or left empty the default new tab page is used.

This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.

Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list.

If you leave this policy not set Google Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Google Chrome.

Specifies the account type of the accounts provided by the Android authentication app that supports HTTP Negotiate authentication (e.g. Kerberos authentication). This information should be available from the supplier of the authentication app. For more details see https://goo.gl/hajyfN.

If no setting is provided, HTTP Negotiate authentication is disabled on Android.

Specifies the length of time without user input after which the screen is locked when running on AC power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.

When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

Specifies the length of time without user input after which the screen is locked when running on battery power.

When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.

When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When this policy is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

If this policy is set to True or is unset, the user is not considered to be idle while audio is playing. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off and screen lock will be performed after the configured timeouts, irrespective of audio activity.

If this policy is set to False, audio activity does not prevent the user from being considered idle.

If this policy is set to True or is unset, the user is not considered to be idle while video is playing. This prevents the idle delay, screen dim delay, screen off delay and screen lock delay from being reached and the corresponding actions from being taken.

If this policy is set to False, video activity does not prevent the user from being considered idle.

Note for Google Chrome OS devices supporting Android apps:

Video playing in Android apps is not taken into consideration, even if this policy is set to True.

PresentationScreenDimDelayScale

Percentage by which to scale the screen dim delay in presentation mode

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PresentationScreenDimDelayScale

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode.

If this policy is set, it specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode. When the screen dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.

If this policy is unset, a default scale factor is used.

The scale factor must be 100% or more. Values that would make the screen dim delay in presentation mode shorter than the regular screen dim delay are not allowed.

UserActivityScreenDimDelayScale

Percentage by which to scale the screen dim delay if the user becomes active after dimming

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UserActivityScreenDimDelayScale

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off.

If this policy is set, it specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off. When the dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.

PowerManagementIdleSettings

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PowerManagementIdleSettings

Supported on:

Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

This policy controls multiple settings for the power management strategy when the user becomes idle.

There are four types of action:
* The screen will be dimmed if the user remains idle for the time specified by |ScreenDim|.
* The screen will be turned off if the user remains idle for the time specified by |ScreenOff|.
* A warning dialog will be shown if the user remains idle for the time specified by |IdleWarning|, telling the user that the idle action is about to be taken.
* The action specified by |IdleAction| will be taken if the user remains idle for the time specified by |Idle|.

For each of above actions, the delay should be specified in milliseconds, and needs to be set to a value greater than zero to trigger the corresponding action. In case the delay is set to zero, Google Chrome OS will not take the corresponding action.

For each of the above delays, when the length of time is unset, a default value will be used.

Note that |ScreenDim| values will be clamped to be less than or equal to |ScreenOff|, |ScreenOff| and |IdleWarning| will be clamped to be less than or equal to |Idle|.

|IdleAction| can be one of four possible actions:
* |Suspend|
* |Logout|
* |Shutdown|
* |DoNothing|

When the |IdleAction| is unset, the default action is taken, which is suspend.

ScreenLockDelays

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ScreenLockDelays

Supported on:

Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies the length of time without user input after which the screen is locked when running on AC power or battery.

When the length of time is set to a value greater than zero, it represents the length of time that the user must remain idle before Google Chrome OS locks the screen.

When the length of time is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When the length of time is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

Proxy server

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to auto detect the proxy server, all other options are ignored.
For detailed examples, visit:
https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.
If you enable this setting, Google Chrome and ARC-apps ignore all proxy-related options specified from the command line.
Leaving these policies not set will allow the users to choose the proxy settings on their own.

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to use system proxy settings, all other options are ignored.

If you choose to auto detect the proxy server, all other options are ignored.

If you choose fixed server proxy mode, you can specify further options in 'Address or URL of proxy server' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.

If you choose to use a .pac proxy script, you must specify the URL to the script in 'URL to a proxy .pac file'.

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.

If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.

A whitelist controlling which quick unlock modes the user can configure and use to unlock the lock screen.

This value is a list of strings; valid list entries are: "all", "PIN". Adding "all" to the list means that every quick unlock mode is available to the user, including ones implemented in the future. Otherwise, only the quick unlock modes present in the list will be available.

For example, to allow every quick unlock mode, use ["all"]. To allow only PIN unlock, use ["PIN"]. To disable all quick unlock modes, use [].

This setting controls how often the lock screen will request the password to be entered in order to continue using quick unlock. Each time the lock screen is entered, if the last password entry was more than this setting, the quick unlock will not be available on entering the lock screen. Should the user stay on the lock screen past this period of time, a password will be requested next time the user enters the wrong code, or re-enters the lock screen, whichever comes first.

If this setting is configured, users using quick unlock will be requested to enter their passwords on the lock screen depending on this setting.

If this setting is not configured, users using quick unlock will be requested to enter their password on the lock screen every day.

If the policy is set, the configured maximal PIN length is enforced. A value of 0 or less means no maximum length; in that case the user may set a PIN as long as they want. If this setting is less than PinUnlockMinimumLength but greater than 0, the maximum length is the same as the minimum length.

This policy specifies the allowed extensions to use the Enterprise Platform Keys API function chrome.enterprise.platformKeys.challengeUserKey() for remote attestation. Extensions must be added to this list to use the API.

If an extension is not in the list, or the list is not set, the call to the API will fail with an error code.

AttestationForContentProtectionEnabled

Enable the use of remote attestation for content protection for the device

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 31

Supported features:

Dynamic Policy Refresh: Yes

Description:

Chrome OS devices can use remote attestation (Verified Access) to get a certificate issued by the Chrome OS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the Chrome OS CA which uniquely identifies the device.

If this setting is false, the device will not use remote attestation for content protection and the device may be unable to play protected content.

If this setting is true, or if it is not set, remote attestation may be used for content protection.

If you choose 'Open New Tab Page' the New Tab Page will always be opened when you start Google Chrome.

If you choose 'Restore the last session', the URLs that were open last time Google Chrome was closed will be reopened and the browsing session will be restored as it was left.
Choosing this option disables some settings that rely on sessions or that perform actions on exit (such as Clear browsing data on exit or session-only cookies).

If you choose 'Open a list of URLs', the list of 'URLs to open on startup' will be opened when a user starts Google Chrome.

If you enable this setting, users cannot change or override it in Google Chrome.

Disabling this setting is equivalent to leaving it not configured. The user will still be able to change it in Google Chrome.

This policy is not available on Windows instances that are not joined
to a Microsoft® Active Directory® domain.

Enables deleting browser history and download history in Google Chrome and prevents users from changing this setting.

Note that even with this policy disabled, the browsing and download history are not guaranteed to be retained: users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.

If this setting is enabled or not set, browsing and download history can be deleted.

If this setting is disabled, browsing and download history cannot be deleted.

If this policy is set to False, users will not be able to play the dinosaur easter egg game when device is offline. If this setting is set to True, users are allowed to play the dinosaur game. If this policy is not set, users are not allowed to play the dinosaur easter egg game on enrolled Chrome OS, but are allowed to play it under other circumstances.

Allows access to local files on the machine by allowing Google Chrome to display file selection dialogs.

If you enable this setting, users can open file selection dialogs as normal.

If you disable this setting, whenever the user performs an action which would provoke a file selection dialog (like importing bookmarks, uploading files, saving links, etc.) a message is displayed instead and the user is assumed to have clicked Cancel on the file selection dialog.

If this setting is not set, users can open file selection dialogs as normal.

This policy controls whether to allow the auto launched with zero delay kiosk app to control Google Chrome OS version by declaring a required_platform_version in its manifest and use it as the auto update target version prefix.

If the policy is set to true, the value of required_platform_version manifest key of the auto launched with zero delay kiosk app is used as auto update target version prefix.

If the policy is not configured or set to false, the required_platform_version manifest key is ignored and auto update proceeds as normal.

Warning: It is not recommended to delegate control of the Google Chrome OS version to a kiosk app as it may prevent the device from receiving software updates and critical security fixes. Delegating control of the Google Chrome OS version might leave users at risk.

Note for Google Chrome OS devices supporting Android apps:

If the kiosk app is an Android app, it will have no control over the Google Chrome OS version, even if this policy is set to True.

If this policy is set to false, users will not be able to lock the screen (only signing out from the user session will be possible). If this setting is set to true or not set, users who authenticated with a password can lock the screen.

If you define this setting, the user will only be able to access Google
Apps using accounts from the specified domains (note that this does not
work for gmail.com/googlemail.com).

This setting will NOT prevent the user from loging in on a managed device
that requires Google authentication. The user will still be allowed to
sign in to accounts from other domains, but they will receive an error
when trying to use G Suite with those accounts.

If you leave this setting empty/not-configured, the user will be able to
access G Suite with any account.

This policy causes the X-GoogApps-Allowed-Domains header to be appended to
all HTTP and HTTPS requests to all google.com domains, as described in
https://support.google.com/a/answer/1668854.

When this policy is set to true, ARC will be enabled for the user
(subject to additional policy settings checks - ARC will still be
unavailable if either ephemeral mode or multiple sign-in is enabled
in the current user session).

If this setting is disabled or not configured then enterprise users are
unable to use ARC.

When this policy is set to true, the Android Google Location Service is enabled. This will allow Android apps to use its data to find the device location, and also will enable submitting of anonymous location data to Google.

When this policy is set to false, Android Google Location Service will be switched off.

If this setting is configured then users are not able change it themselves.

If this setting is not configured then users are able to turn Google Location Service on and off in the Android Settings app.

Note that this policy value may be overridden by the DefaultGeolocationSetting policy, when the latter is set to BlockGeolocation.

This policy is applicable only to the users that are able to run Android apps.

If enabled or not configured (default), the user will be prompted for
audio capture access except for URLs configured in the
AudioCaptureAllowedUrls list which will be granted access without prompting.

When this policy is disabled, the user will never be prompted and audio
capture only be available to URLs configured in AudioCaptureAllowedUrls.

This policy affects all types of audio inputs and not only the built-in microphone.

Note for Google Chrome OS devices supporting Android apps:

For Android apps, this policy affects the microphone only. When this policy is set to true, the microphone is muted for all Android apps, with no exceptions.

When this policy is set to false, audio output will not be available on the device while the user is logged in.

This policy affects all types of audio output and not only the built-in speakers. Audio accessibility features are also inhibited by this policy. Do not enable this policy if a screen reader is required for the user.

If this setting is set to true or not configured then users can use all supported audio outputs on their device.

If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.

Determines whether a Google Chrome process is started on OS login and keeps running when the last browser window is closed, allowing background apps and the current browsing session to remain active, including any session cookies. The background process displays an icon in the system tray and can always be closed from there.

If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings.

If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings.

If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.

Setting this policy to false stops Google Chrome from occasionally sending queries to a Google server to retrieve an accurate timestamp. These queries will be enabled if this policy is set to True or is not set.

This policy only takes effect if a proxy is configured (for example through policy, by the user in chrome://settings, or by extensions).

If you enable this setting, any captive portal authentication pages (i.e. all web pages starting from captive portal signin page until Google Chrome detects successful internet connection) will be displayed in a separate window ignoring all policy settings and restrictions for the current user.

If you disable this setting or leave it unset, any captive portal authentication pages will be shown in a (regular) new browser tab, using the current user's proxy settings.

This policy allows certificates for the hostnames in the specified URLs to not be disclosed via Certificate Transparency. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used, but makes it harder to detect misissued certificates for those hosts.

A URL pattern is formatted according to https://www.chromium.org/administrators/url-blacklist-filter-format. However, because certificates are valid for a given hostname independent of the scheme, port, or path, only the hostname portion of the URL is considered. Wildcard hosts are not supported.

If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed according to the Certificate Transparency policy.

Control the user behavior in a multiprofile session on Google Chrome OS devices.

If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.

If you set this setting, users cannot change or override it.

If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.

If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.

"unrestricted" = Allow enterprise user to be both primary and secondary (Default behavior for non-managed users)

If this policy is set to True and the ChromeOsReleaseChannel policy is not specified then users of the enrolling domain will be allowed to change the release channel of the device. If this policy is set to false the device will be locked in whatever channel it was last set.

The user selected channel will be overridden by the ChromeOsReleaseChannel policy, but if the policy channel is more stable than the one that was installed on the device, then the channel will only switch after the version of the more stable channel reaches a higher version number than the one installed on the device.

Enables Google Chrome to submit documents to Google Cloud Print for printing. NOTE: This only affects Google Cloud Print support in Google Chrome. It does not prevent users from submitting print jobs on web sites.

If this setting is enabled or not configured, users can print to Google Cloud Print from the Google Chrome print dialog.

If this setting is disabled, users cannot print to Google Cloud Print from the Google Chrome print dialog

Enables component updates for all components in Google Chrome when not set or set to True.

If set to False, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code, or does not significantly alter the behavior of the browser, or is critical for its security will not be disabled.
Examples of such components include the certificate revocation lists and safe browsing data.
See https://developers.google.com/safe-browsing for more info on SafeBrowsing.

This policy determines the rules for selecting the default printer in Google Chrome which happens the first time the print function is used with a profile.

When this policy is set, Google Chrome will attempt to find a printer matching all of the specified attributes, and select it as default printer. The first printer found matching the policy is selected, in case of non-unique match any matching printer can be selected, depending on the order printers are discovered.

If this policy is not set or matching printer is not found within the timeout, the printer defaults to built-in PDF printer or no printer selected, when PDF printer is not available.

Printers connected to Google Cloud Print are considered "cloud", the rest of the printers are classified as "local".
Omitting a field means all values match, for example, not specifying connectivity will cause Print Preview to initiate the discovery of all kinds of printers, local and cloud.
Regular expression patterns must follow the JavaScript RegExp syntax and matches are case sensistive.

If you enable this setting, the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.

Setting this option to disabled or leaving it not set allows the user to use the Developer Tools and the JavaScript console.

Note for Google Chrome OS devices supporting Android apps:

This policy also controls access to Android Developer Options. If you set this policy to true, users cannot access Developer Options. If you set this policy to false or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.

Controls whether Google Chrome OS allows new user accounts to be created. If this policy is set to false, users that do not have an account already will not be able to login.

If this policy is set to true or not configured, new user accounts will be allowed to be created provided that DeviceUserWhitelist does not prevent the user from logging in.

Note for Google Chrome OS devices supporting Android apps:

This policy controls whether new users can be added to Google Chrome OS. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.

Specifies whether p2p is to be used for OS update payloads. If set to True, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device will fall back to downloading from an update server. If set to False or not configured, p2p will not be used.

If this policy is set to True, Google Chrome OS will prevent the device from booting into developer mode. The system will refuse to boot and show an error screen when the developer switch is turned on.

If this policy is unset or set to False, developer mode will remain available for the device.

Note for Google Chrome OS devices supporting Android apps:

This policy controls Google Chrome OS developer mode only. If you want to prevent access to Android Developer Options, you need to set the DeveloperToolsDisabled policy.

Determines whether Google Chrome OS keeps local account data after logout. If set to true, no persistent accounts are kept by Google Chrome OS and all data from the user session will be discarded after logout. If this policy is set to false or not configured, the device may keep (encrypted) local user data.

If this policy is unset or set to True and a device-local account is configured for zero-delay auto-login, Google Chrome OS will honor the keyboard shortcut Ctrl+Alt+S for bypassing auto-login and showing the login screen.

If this policy is set to False, zero-delay auto-login (if configured) cannot be bypassed.

If the |DeviceLocalAccountAutoLoginId| policy is unset, this policy has no effect. Otherwise:

If this policy is set, it determines the amount of time without user activity that should elapse before automatically logging into the public session specified by the |DeviceLocalAccountAutoLoginId| policy.

If this policy is set, the specified session will be automatically logged in after a period of time has elapsed at the login screen without user interaction. The public session must already be configured (see |DeviceLocalAccounts|).

If this policy is unset or set to True and a device-local account is configured for zero-delay auto-login and the device does not have access to the Internet, Google Chrome OS will show a network configuration prompt.

If this policy is set to False, an error message will be displayed instead of the network configuration prompt.

Specifies a list of apps that are installed silently on the login screen,
without user interaction, and which cannot be uninstalled.
All permissions requested by the apps are granted
implicitly, without user interaction, including any additional
permissions requested by future versions of the app.

Note that, for security and privacy reasons, extensions are not allowed to be installed using this policy. Moreover, the devices on the Stable channel will only install the apps that belong to the whitelist bundled into Google Chrome. Any items that don't conform to these conditions will be ignored.

If an app that previously had been force-installed is removed from this list, it is automatically uninstalled by Google Chrome.

Each list item of the policy is a string that contains an extension ID and an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL should point to an Update Manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest.

Allows you to specify a list of url patterns that specify sites for which a client certificate is automatically selected on the sign-in screen in the frame hosting the SAML flow, if the site requests a certificate. An example usage is to configure a device-wide certificate to be presented to the SAML IdP.

The value must be an array of stringified JSON dictionaries. Each dictionary must have the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts from which client certificates the browser will automatically select. Independent of the filter, only certificates will be selected that match the server's certificate request. If $FILTER has the form { "ISSUER": { "CN": "$ISSUER_CN" } }, additionally only client certificates are selected that are issued by a certificate with the CommonName $ISSUER_CN. If $FILTER is the empty dictionary {}, the selection of client certificates is not additionally restricted.

If this policy is left not set, no auto-selection will be done for any site.

DeviceLoginScreenDomainAutoComplete

Enable domain name autocomplete during user sign in

Data type:

String

Supported on:

Google Chrome OS (Google Chrome OS) since version 44

Supported features:

Dynamic Policy Refresh: Yes

Description:

If this policy is set to a blank string or not configured, Google Chrome OS will not show an autocomplete option during user sign-in flow.
If this policy is set to a string representing a domain name, Google Chrome OS will show an autocomplete option during user sign-in allowing the user to type in only their user name without the domain name extension. The user will be able to overwrite this domain name extension.

Configures which keyboard layouts are allowed on the Google Chrome OS sign-in screen.

If this policy is set to a list of input method identifiers, the given input methods will be available on the sign-in screen. The first given input method will be preselected. While a user pod is focused on the sign-in screen, the user's last used input method will be available in addition to the input methods given by this policy. If this policy is not set, the input methods on the sign-in screen will be derived from the locale in which the sign-in screen is displayed. Values which are not valid input method identifiers will be ignored.

Configures the locale which is enforced on the Google Chrome OS sign-in screen.

If this policy is set, the sign-in screen will always be displayed in the locale which is given by the first value of this policy (the policy is defined as a list for forward compatibility). If this policy is not set or is set to an empty list, the sign-in screen will be displayed in the locale of the last user session. If this policy is set to a value which is not a valid locale, the sign-in screen will be displayed in a fallback locale (currently, en-US).

DeviceLoginScreenPowerManagement

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenPowerManagement

Supported on:

Google Chrome OS (Google Chrome OS) since version 30

Supported features:

Dynamic Policy Refresh: Yes

Description:

Configure power management on the login screen in Google Chrome OS.

This policy lets you configure how Google Chrome OS behaves when there is no user activity for some amount of time while the login screen is being shown. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session. The only deviations from these policies are:
* The actions to take on idle or lid close cannot be to end the session.
* The default action taken on idle when running on AC power is to shut down.

Controls whether usage metrics and diagnostic data, including crash reports, are reported back to Google. If set to true, Google Chrome OS will report usage metrics and diagnostic data. If not configured or set to false, metrics and diagnostic data reporting will be disabled.

Note for Google Chrome OS devices supporting Android apps:

This policy also controls Android usage and diagnostic data collection.

DeviceNativePrinters

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceNativePrinters

Supported on:

Google Chrome OS (Google Chrome OS) since version 63

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Provides configurations for enterprise printers bound to devices.

This policy allows you to provide printer configurations to Google Chrome OS devices. The size of the file must not exceed 5MB and must be encoded in JSON. The format is the same as the NativePrinters dictionary. It is estimated that a file containing approximately 21,000 printers will encode as a 5MB file. The cryptographic hash is used to verify the integrity of the download.

The file is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If this policy is set, Google Chrome OS will download the file for printer configurations and make printers available in accordance with DeviceNativePrintersAccessMode, DeviceNativePrintersWhitelist, and DeviceNativePrintersBlacklist.

This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.

This policy is additive to the NativePrintersBulkConfiguration.

If this policy is unset, there will be no device printers and the other DeviceNativePrinter* policies will be ignored.

Controls which printers from the DeviceNativePrinters are available to users.

Designates which access policy is used for bulk printer configuration. If AllowAll is selected, all printers are shown. If BlacklistRestriction is selected, DeviceNativePrintersBlacklist is used to restrict access to the specified printers. If WhitelistPrintersOnly is selected, DeviceNativePrintersWhitelist designates only those printers which are selectable.

DeviceOffHours

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceOffHours

Supported on:

Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: Yes

Description:

If "OffHours" policy is set, then the specified device policies are ignored (use the default settings of these policies) during the defined time intervals. Device policies are re-applied by Chrome on every event when "OffHours" period starts or ends. User will be notified and forced to sign out when "OffHours" time end and device policy settings are changed (e.g. when user is logged in not with an allowed account).

Allows pushing network configuration to be applied for all users of a Google Chrome OS device. The network configuration is a JSON-formatted string as defined by the Open Network Configuration format described at https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/open-network-configuration

Note for Google Chrome OS devices supporting Android apps:

Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.

Specifies the period in milliseconds at which the device management service is queried for device policy information.

Setting this policy overrides the default value of 3 hours. Valid values for this policy are in the range from 1800000 (30 minutes) to 86400000 (1 day). Any values not in this range will be clamped to the respective boundary.

Leaving this policy not set will make Google Chrome OS use the default value of 3 hours.

Note that if the platform supports policy notifications, the refresh delay will be set to 24 hours (ignoring all defaults and the value of this policy) because it is expected that policy notifications will force a refresh automatically whenever policy changes, making more frequent refreshes unnecessary.

When this policy is set to false, the device will not attempt to
contact the Quirks Server to download configuration files.

If this policy is true or not configured then Google Chrome OS will automatically contact the Quirks Server and download configuration files, if available, and store them on the device. Such files might, for example, be used to improve display quality of attached monitors.

If this policy is set to false or not configured, Google Chrome OS will allow the user to shut down the device.
If this policy is set to true, Google Chrome OS will trigger a reboot when the user shuts down the device. Google Chrome OS replaces all occurrences of shutdown buttons in the UI by reboot buttons. If the user shuts down the device using the power button, it will not automatically reboot, even if the policy is enabled.

DeviceSecondFactorAuthentication

Integrated second factor authentication mode

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 61

Supported features:

Dynamic Policy Refresh: No

Description:

Specifies how the on-board secure element hardware can be used to provide a second-factor authentication if it is compatible with this feature. The machine power button is used to detect the user physical presence.

If 'Disabled' is selected, no second factor is provided.

If 'U2F' is selected, the integrated second factor will behave according the FIDO U2F specification.

If 'U2F_EXTENDED' is selected, the integrated second factor will provide the U2F functions plus some extensions for individual attestation.

If this policy is set to true or not configured, Google Chrome OS will show existing users on the login screen and allow to pick one.

If this policy is set to false, Google Chrome OS will not show existing users on the login screen. The normal sign-in screen (prompting for the user email and password or phone) or the SAML interstital screen (if enabled via the LoginAuthenticationBehavior policy) will be shown, unless a Public Session is configured. When a Public Session is configured, only the Public Session accounts will be shown, allowing to pick one of them.

Note that this policy does not affect whether the device keeps or discards the local user data.

Specifies the prefix of a target version Google Chrome OS should update to. If the device is running a version that's before the specified prefix, it will update to the latest version with the given prefix. If the device is already on a later version, there is no effect (i.e. no downgrades are performed) and the device will remain on the current version. The prefix format works component-wise as is demonstrated in the following example:

"" (or not configured): update to latest version available.
"1412.": update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2)
"1412.2.": update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2)
"1412.24.34": update to this specific version only

Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version prefix might leave users at risk.

DeviceTransferSAMLCookies

Specifies whether authentication cookies set by a SAML IdP during login should be transferred to the user's profile.

When a user authenticates via a SAML IdP during login, cookies set by the IdP are written to a temporary profile at first. These cookies can be transferred to the user's profile to carry forward the authentication state.

When this policy is set to true, cookies set by the IdP are transferred to the user's profile every time they authenticate against the SAML IdP during login.

When this policy is set to false or unset, cookies set by the IdP are transferred to the user's profile during their first login on a device only.

This policy affects users whose domain matches the device's enrollment domain only. For all other users, cookies set by the IdP are transferred to the user's profile during their first login on the device only.

Note for Google Chrome OS devices supporting Android apps:

Cookies transferred to the user's profile are not accessible to Android apps.

The types of connections that are allowed to use for OS updates. OS updates potentially put heavy strain on the connection due to their size and may incur additional cost. Therefore, they are by default not enabled for connection types that are considered expensive, which include WiMax, Bluetooth and Cellular at the moment.

If this policy is set to true, Google Chrome OS will attempt to download auto-update payloads via HTTP. If the policy is set to false or not set, HTTPS will be used for downloading auto-update payloads.

Specifies the number of seconds up to which a device may randomly delay its download of an update from the time the update was first pushed out to the server. The device may wait a portion of this time in terms of wall-clock-time and the remaining portion in terms of the number of update checks. In any case, the scatter is upper bounded to a constant amount of time so that a device does not ever get stuck waiting to download an update forever.

Defines the list of users that are allowed to login to the device. Entries are of the form user@domain, such as madmax@managedchrome.com. To allow arbitrary users on a domain, use entries of the form *@domain.

If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the DeviceAllowNewUsers policy to be configured appropriately.

Note for Google Chrome OS devices supporting Android apps:

This policy controls who may start a Google Chrome OS session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.

DeviceWallpaperImage

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceWallpaperImage

Supported on:

Google Chrome OS (Google Chrome OS) since version 61

Supported features:

Dynamic Policy Refresh: Yes

Description:

Configure device-level wallpaper image that is shown on the login screen if no user has yet signed in to the device. The policy is set by specifying the URL from which the Chrome OS device can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication. The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

The policy should be speicified as a string that expresses the URL and hash in JSON format, e.g.,
{
"url": "https://example.com/device_wallpaper.jpg",
"hash": "examplewallpaperhash"
}

If the device wallpaper policy is set, the Chrome OS device will download and use the wallpaper image on the login screen if no user has yet signed in to the device. Once the user logs in, the user's wallpaper policy kicks in.

If the device wallpaper policy is left not set, it's the user's wallpaper policy to decide what to show if the user's wallpaper policy is set.

Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API.

Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs.

If HardwareAccelerationModeEnabled is set to false, Disable3DAPIs is ignored and it is equivalent to Disable3DAPIs being set to true.

The Safe Browsing service shows a warning page when users navigate to sites that are flagged as potentially malicious. Enabling this setting prevents users from proceeding anyway from the warning page to the malicious site.

If this setting is disabled or not configured then users can choose to proceed to the flagged site after being shown the warning.

See https://developers.google.com/safe-browsing for more info on SafeBrowsing.

This policy is deprecated. Please use the DefaultPluginsSetting to control the avalability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.

Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting.

The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.

If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in 'about:plugins' and users cannot enable them.

Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions.

If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.

This policy is deprecated. Please use the DefaultPluginsSetting to control the avalability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.

Specifies a list of plugins that user can enable or disable in Google Chrome.

The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.

If you enable this setting, the specified list of plugins can be used in Google Chrome. Users can enable or disable them in 'about:plugins', even if the plugin also matches a pattern in DisabledPlugins. Users can also enable and disable plugins that don't match any patterns in DisabledPlugins, DisabledPluginsExceptions and EnabledPlugins.

This policy is meant to allow for strict plugin blacklisting where the 'DisabledPlugins' list contains wildcarded entries like disable all plugins '*' or disable all Java plugins '*Java*' but the administrator wishes to enable some particular version like 'IcedTea Java 2.3'. This particular versions can be specified in this policy.

Note that both the plugin name and the plugin's group name have to be exempted. Each plugin group is shown in a separate section in about:plugins; each section may have one or more plugins. For example, the "Shockwave Flash" plugin belongs to the "Adobe Flash Player" group, and both names have to have a match in the exceptions list if that plugin is to be exempted from the blacklist.

If this policy is left not set any plugin that matches the patterns in the 'DisabledPlugins' will be locked disabled and the user won't be able to enable them.

Configures the directory that Google Chrome will use for storing cached files on the disk.

If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--disk-cache-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a volume's root directory or to a directory used for other purposes, because Google Chrome manages its contents.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

If this policy is left not set the default cache directory will be used and the user will be able to override it with the '--disk-cache-dir' command line flag.

Configures the cache size that Google Chrome will use for storing cached files on the disk.

If you set this policy, Google Chrome will use the provided cache size regardless whether the user has specified the '--disk-cache-size' flag or not. The value specified in this policy is not a hard boundary but rather a suggestion to the caching system, any value below a few megabytes is too small and will be rounded up to a sane minimum.

If the value of this policy is 0, the default cache size will be used but the user will not be able to change it.

If this policy is not set the default size will be used and the user will be able to override it with the --disk-cache-size flag.

If this policy is set, each display is rotated to the
specified orientation on every reboot, and the first time it is connected
after the policy value has changed. Users may change the display
rotation via the settings page after logging in, but their
setting will be overridden by the policy value at the next reboot.

This policy applies to both the primary and all secondary displays.

If the policy is not set, the default value is 0 degrees and the user is
free to change it. In this case, the default value is not reapplied at
restart.

Configures the type of downloads that Google Chrome will completely block, without letting users override the security decision.

If you set this policy, Google Chrome will prevent certain types of downloads, and won't let user bypass the security warnings.

When the 'Block dangerous downloads' option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings.

When the 'Block potentially dangerous downloads' option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings of potentially dangerous downloads.

When the 'Block all downloads' option is chosen, all downloads are blocked.

When this policy is not set, (or the 'No special restrictions' option is chosen), the downloads will go through the usual security restrictions based on SafeBrowsing analysis results.

Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options.

See https://developers.google.com/safe-browsing for more info on SafeBrowsing.

Specifies the action that should be taken when the user's home directory was created with ecryptfs encryption and needs to transition to ext4 encryption.

If you set this policy to 'DisallowArc', Android apps will be disabled for the user and no migration from ecryptfs to ext4 encryption will be performed. Android apps will not be prevented from running when the home directory is already ext4-encrypted.

If you set this policy to 'Migrate', ecryptfs-encrypted home directories will be automatically migrated to ext4 encryption on sign-in without asking for user consent.

If you set this policy to 'Wipe', ecryptfs-encrypted home directories will be deleted on sign-in and new ext4-encrypted home directories will be created instead. Warning: This removes the user's local data.

If you set this policy to 'AskUser', users with ecryptfs-encrypted home directories will be offered to migrate.

This policy does not apply to kiosk users. If this policy is left not set, the device will behave as if 'DisallowArc' was chosen.

0 = Disallow data migration and ARC.

1 = Migrate automatically, don’t ask for user consent.

2 = Wipe the user’s ecryptfs home directory and start with a fresh ext4-encrypted home directory.

3 = Ask the user if they would like to migrate or skip migration and disallow ARC.

4 = Similar to Wipe (value 2), but tries to preserve login tokens so the user does not have to sign in again.

5 = If the client device model already supported ARC before migration to ext4 was necessary to run ARC and if the ArcEnabled policy is set to true, this option will behave as AskUser (value 3). In all other cases (if the device model did not support ARC before, or if ArcEnabled policy is set to false), this value is equivalent to DisallowArc (value 0).

When this setting is enabled, Google Chrome will use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates.

Note that this is not recommended, as this may allow bypassing the nameConstraints extension that restricts the hostnames that a given certificate can be authorized for.

If this policy is not set, or is set to false, server certificates that lack a subjectAlternativeName extension containing either a DNS name or IP address will not be trusted.

Specify a list of deprecated web platform features to re-enable temporarily.

This policy gives administrators the ability to re-enable deprecated web platform features for a limited time. Features are identified by a string tag and the features corresponding to the tags included in the list specified by this policy will get re-enabled.

If this policy is left not set, or the list is empty or does not match one of the supported string tags, all deprecated web platform features will remain disabled.

While the policy itself is supported on the above platforms, the feature it is enabling may be available on fewer platforms. Not all deprecated Web Platform features can be re-enabled. Only the ones explicitly listed below can be for a limited period of time, which is different per feature. The general format of the string tag will be [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd]. As reference, you can find the intent behind the Web Platform feature changes at https://bit.ly/blinkintents.

In light of the fact that soft-fail, online revocation checks provide no effective security benefit, they are disabled by default in Google Chrome version 19 and later. By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed.

If the policy is not set, or is set to false, then Google Chrome will not perform online revocation checks in Google Chrome 19 and later.

EnableSha1ForLocalAnchors

Whether SHA-1 signed certificates issued by local trust anchors are allowed

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\EnableSha1ForLocalAnchors

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EnableSha1ForLocalAnchors

Mac/Linux preference name:

EnableSha1ForLocalAnchors

Android restriction name:

EnableSha1ForLocalAnchors

Supported on:

Google Chrome (Linux, Mac, Windows) since version 54

Google Chrome OS (Google Chrome OS) since version 54

Google Chrome (Android) since version 54

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

When this setting is enabled, Google Chrome allows SHA-1 signed certificates as long as they successfully validate and chain to a locally-installed CA certificates.

Note that this policy depends on the operating system certificate verification stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy may no longer have effect. Further, this policy is intended as a temporary workaround to give enterprises more time to move away from SHA-1. This policy will be removed on or around January 1st 2019.

If this policy is not set, or it is set to false, then Google Chrome follows the publicly announced SHA-1 deprecation schedule.

This policy is deprecated. Please use the DefaultPluginsSetting to control the avalability of the Flash plugin and AlwaysOpenPdfExternally to control whether the integrated PDF viewer should be used for opening PDF files.

Specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting.

The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them.

The specified list of plugins is always used in Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them.

Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions.

If this policy is left not set the user can disable any plugin installed on the system.

ExtensionCacheSize

Set Apps and Extensions cache size (in bytes)

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 43

Supported features:

Dynamic Policy Refresh: No

Description:

Google Chrome OS caches Apps and Extensions for installation by multiple users of a single device to avoid re-downloading them for each user.
If this policy is not configured or the value is lower than 1 MB, Google Chrome OS will use the default cache size.

Note for Google Chrome OS devices supporting Android apps:

The cache is not used for Android apps. If multiple users install the same Android app, it will be downloaded anew for each user.

When this policy is set to true, external storage will not be available in the file browser.

This policy affects all types of storage media. For example: USB flash drives, external hard drives, SD and other memory cards, optical storage etc. Internal storage is not affected, therefore files saved in the Download folder can still be accessed. Google Drive is also not affected by this policy.

If this setting is disabled or not configured then users can use all supported types of external storage on their device.

When this policy is set to true, users cannot write anything to external storage devices.

If this setting is set to false or not configured, then users can create and modify files of external storage devices which are physically writable.

The ExternalStorageDisabled policy takes precedence over this policy - if ExternalStorageDisabled is set to true, then all access to external storage is disabled and this policy is consequently ignored.

If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.

In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However this does not prevent the user from downloading any data to disk manually, save pages or print them.

If the user has enabled sync all this data is preserved in their sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.

If the policy is set to disabled or left not set signing in leads to regular profiles.

If this policy is set to true, Google Chrome will unconditionally maximize the first window shown on first run.
If this policy is set to false or not configured, the decision whether to maximize the first window shown will be based on the screen size.

This policy is deprecated, please use ForceGoogleSafeSearch and ForceYouTubeRestrict instead. This policy is ignored if either the ForceGoogleSafeSearch, the ForceYouTubeRestrict or the (deprecated) ForceYouTubeSafetyMode policies are set.

Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Moderate Restricted Mode on YouTube.

If you enable this setting, SafeSearch in Google Search and Moderate Restricted Mode YouTube is always active.

If you disable this setting or do not set a value, SafeSearch in Google Search and Restricted Mode in YouTube is not enforced.

NOTE: This policy is experimental and may break functionality!
If the policy is enabled, each of the named origins in a
comma-separated list will run in its own process. This will also isolate
origins named by subdomains; e.g. specifying https://example.com/ will
also cause https://foo.example.com/ to be isolated as part of the
https://example.com/ site.
If the policy is disabled, the pre-Site Isolation process management logic will take effect.
If the policy is not configured, the user will be able to change this setting.

KeyPermissions

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\KeyPermissions

Supported on:

Google Chrome OS (Google Chrome OS) since version 45

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Grants access to corporate keys to extensions.

Keys are designated for corporate usage if they're generated using the chrome.enterprise.platformKeys API on a managed account. Keys imported or generated in another way are not designated for corporate usage.

Access to keys designated for corporate usage is solely controlled by this policy. The user can neither grant nor withdraw access to corporate keys to or from extensions.

By default an extension cannot use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to false for that extension.

Only if allowCorporateKeyUsage is set to true for an extension, it can use any platform key marked for corporate usage to sign arbitrary data. This permission should only be granted if the extension is trusted to secure access to the key against attackers.

Note for Google Chrome OS devices supporting Android apps:

Android apps cannot get access to corporate keys. This policy has no effect on them.

LoginAuthenticationBehavior

When this policy is set, the login authentication flow will be in one of the following ways depending on the value of the setting:

If set to GAIA, login will be done via the normal GAIA authentication flow.

If set to SAML_INTERSTITIAL, login will show an interstitial screen offering the user to go forward with authentication via the SAML IdP of the device's enrollment domain, or go back to the normal GAIA login flow.

LoginVideoCaptureAllowedUrls

URLs that will be granted access to video capture devices on SAML login pages

Data type:

List of strings

Supported on:

Google Chrome OS (Google Chrome OS) since version 52

Supported features:

Dynamic Policy Refresh: Yes

Description:

Patterns in this list will be matched against the security
origin of the requesting URL. If a match is found, access to video
capture devices will be granted on SAML login pages. If no match is
found, access will be automatically denied. Wildcard patterns are not
allowed.

ManagedBookmarks

Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ManagedBookmarks

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ManagedBookmarks

Mac/Linux preference name:

ManagedBookmarks

Android restriction name:

ManagedBookmarks

Supported on:

Google Chrome (Android) since version 30

Google Chrome (Linux, Mac, Windows) since version 37

Google Chrome OS (Google Chrome OS) since version 37

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures a list of managed bookmarks.

The policy consists of a list of bookmarks whereas each bookmark is a dictionary containing the keys "name" and "url" which hold the bookmark's name and its target. A subfolder may be configured by defining a bookmark without an "url" key but with an additional "children" key which itself contains a list of bookmarks as defined above (some of which may be folders again). Google Chrome amends incomplete URLs as if they were submitted via the Omnibox, for example "google.com" becomes "https://google.com/".

These bookmarks are placed in a folder that can't be modified by the user (but the user can choose to hide it from the bookmark bar). By default the folder name is "Managed bookmarks" but it can be customized by adding to the list of bookmarks a dictionary containing the key "toplevel_name" with the desired folder name as the value.

Managed bookmarks are not synced to the user account and can't be modified by extensions.

Specifies the maximal number of simultaneous connections to the proxy server.

Some proxy servers can not handle high number of concurrent connections per client and this can be solved by setting this policy to a lower value.

The value of this policy should be lower than 100 and higher than 6 and the default value is 32.

Some web apps are known to consume many connections with hanging GETs, so lowering below 32 may lead to browser networking hangs if too many such web apps are open. Lower below the default at your own risk.

If this policy is left not set the default value will be used which is 32.

Specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service.

Setting this policy overrides the default value of 5000 milliseconds. Valid values for this policy are in the range from 1000 (1 second) to 300000 (5 minutes). Any values not in this range will be clamped to the respective boundary.

Leaving this policy not set will make Google Chrome use the default value of 5000 milliseconds.

Configures the cache size that Google Chrome will use for storing cached media files on the disk.

If you set this policy, Google Chrome will use the provided cache size regardless whether the user has specified the '--media-cache-size' flag or not. The value specified in this policy is not a hard boundary but rather a suggestion to the caching system, any value below a few megabytes is too small and will be rounded up to a sane minimum.

If the value of this policy is 0, the default cache size will be used but the user will not be able to change it.

If this policy is not set the default size will be used and the user will be able to override it with the --media-cache-size flag.

Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting.

If this setting is enabled, anonymous reporting of usage and crash-related
data is sent to Google. If it is disabled, this information is not sent
to Google. In both cases, users cannot change or override the setting.
If this policy is left not set, the setting will be what the user chose
upon installation / first run.

This policy is not available on Windows instances that are not joined to
a Microsoft® Active Directory® domain. (For Chrome OS, see
DeviceMetricsReportingEnabled.)

Configures the requirement of the minimum allowed version of Google Chrome. Versions below given are treated as obsolete and device would not allow user sign in before OS is updated.
If current version becomes obsolete during user session, user will be forcefully signed out.

If this policy is not set, no restrictions are applied, and user can sign regardless of Google Chrome version.

Here "Version" can be either an exact version like '61.0.3163.120' or a version prefix, like '61.0'

This policy allows administrators to provide printer configurations for
their users.

display_name and description are free form strings that can be customized for ease of printer selection. manufacturer and model serve to ease printer identification by end users. They represent the manufacturer and model of the printer. uri should be an address reachable from a client computer including the scheme, port, and queue. uuid is optional. If provided, it is used to help deduplicate zeroconf printers.

effective_model must match one of the strings which represent a Google Chrome OS supported printer. The string will be used to identify and install the appropriate PPD for the printer. More information can be found at https://support.google.com/chrome?p=noncloudprint.

Printer setup is completed upon the first use of a printer. PPDs are not
downloaded until the printer is used. After that time, frequently used
PPDs are cached.

This policy has no effect on whether users can configure printers on
individual devices. It is intended to be supplementary to the
configuration of printers by individual users.

Controls which printers from the NativePrintersBulkConfiguration are available to users.

Designates which access policy is used for bulk printer configuration. If AllowAll is selected, all printers are shown. If BlacklistRestriction is selected, NativePrintersBulkBlacklist is used to restrict access to the specified printers. If WhitelistPrintersOnly is selected, NativePrintersBulkWhitelist designates only those printers which are selectable.

NativePrintersBulkConfiguration

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NativePrintersBulkConfiguration

Supported on:

Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Provides configurations for enterprise printers.

This policy allows you to provide printer configurations to Google Chrome OS devices. The size of the file must not exceed 5MB and must be encoded in JSON. The format is the same as the NativePrinters dictionary. It is estimated that a file containing approximately 21,000 printers will encode as a 5MB file. The cryptographic hash is used to verify the integrity of the download.

The file is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If this policy is set, Google Chrome OS will download the file for printer configurations and make printers available in accordance with NativePrintersBulkAccessMode, NativePrintersBulkWhitelist, and NativePrintersBulkBlacklist.

If you set this policy, users cannot change or override it.

This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.

This policy is only used if WhitelistPrintersOnly is chosen for NativePrintersBulkAccessMode.

If this policy is used, only the printers with ids matching the values in this policy are available to the user. The ids must correspond to the entries in the file specified in NativePrintersBulkConfiguration.

Enables network prediction in Google Chrome and prevents users from changing this setting.

This controls DNS prefetching, TCP and SSL preconnection and prerendering of web pages.

If you set this preference to 'always', 'never', or 'WiFi only', users cannot change or override this setting in Google Chrome.

If this policy is left not set, network prediction will be enabled but the user will be able to change it.

0 = Predict network actions on any network connection

1 = Predict network actions on any network that is not cellular.
(Deprecated in 50, removed in 52. After 52, if value 1 is set, it will be treated as 0 - predict network actions on any network connection.)

Specifies list of apps that can be enabled as a note-taking app on the Google Chrome OS lock screen.

If the preferred note-taking app is enabled on the lock screen, the lock screen will contain UI element for launching the preferred note taking app.
When launched, the app will be able to create an app window on top of the lock screen, and create data items (notes) in the lock screen context. The app will be able to import created notes to the primary user session, when the session is unlocked. Currently, only Chrome note-taking apps are supported on the lock screen.

If the policy is set, the user will be allowed to enable an app on the lock screen only if the app's extension ID is contained in the policy list value.
As a consequence, setting this policy to an empty list will disable note-taking on the lock screen entirely.
Note that the policy containing an app ID does not necessarily mean that the user will be able to enable the app as a note-taking app on the lock screen - for example, on Chrome 61, the set of available apps is additionally restricted by the platform.

If the policy is left unset, there will be no restrictions on the set of apps the user can enable on the lock screen imposed by the policy.

Allows pushing network configuration to be applied per-user to a Google Chrome OS device. The network configuration is a JSON-formatted string as defined by the Open Network Configuration format described at https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/open-network-configuration

Note for Google Chrome OS devices supporting Android apps:

Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.

Strips privacy and security sensitive parts of https:// URLs before passing them on to PAC scripts (Proxy Auto Config) used by Google Chrome during proxy resolution.

When True, the security feature is enabled, and https:// URLs are
stripped before submitting them to a PAC script. In this manner the PAC
script is not able to view data that is ordinarily protected by an
encrypted channel (such as the URL's path and query).

When False, the security feature is disabled, and PAC scripts are
implicitly granted the ability to view all components of an https://
URL. This applies to all PAC scripts regardless of origin (including
those fetched over an insecure transport, or discovered insecurely
through WPAD).

This defaults to True (security feature enabled), except for Chrome OS
enterprise users for which this currently defaults to False.

It is recommended that this be set to True. The only reason to set it to
False is if it causes a compatibility problem with existing PAC scripts.

Specifies the period in milliseconds at which the device management service is queried for user policy information.

Setting this policy overrides the default value of 3 hours. Valid values for this policy are in the range from 1800000 (30 minutes) to 86400000 (1 day). Any values not in this range will be clamped to the respective boundary. If the platform supports policy notifications, the refresh delay will be set to 24 hours because it is expected that policy notifications will force a refresh automatically whenever policy changes.

Leaving this policy not set will make Google Chrome use the default value of 3 hours.

Note that if the platform supports policy notifications, the refresh delay will be set to 24 hours (ignoring all defaults and the value of this policy) because it is expected that policy notifications will force a refresh automatically whenever policy changes, making more frequent refreshes unnecessary.

Enables printing in Google Chrome and prevents users from changing this setting.

If this setting is enabled or not configured, users can print.

If this setting is disabled, users cannot print from Google Chrome. Printing is disabled in the wrench menu, extensions, JavaScript applications, etc. It is still possible to print from plugins that bypass Google Chrome while printing. For example, certain Flash applications have the print option in their context menu, which is not covered by this policy.

If the policy is enabled, the user will be asked where to save each file before downloading.
If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file.
If the policy is not configured, the user will be able to change this setting.

Schedule an automatic reboot after a Google Chrome OS update has been applied.

When this policy is set to true, an automatic reboot is scheduled when a Google Chrome OS update has been applied and a reboot is required to complete the update process. The reboot is scheduled immediately but may be delayed on the device by up to 24 hours if a user is currently using the device.

When this policy is set to false, no automatic reboot is scheduled after applying a Google Chrome OS update. The update process is completed when the user next reboots the device.

If you set this policy, users cannot change or override it.

Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.

ReportDeviceActivityTimes

Report device activity times

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 18

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report device activity times.

If this setting is not set or set to True, enrolled devices will report time periods when a user is active on the device. If this setting is set to False, device activity times will not be recorded or reported.

Configures the directory that Google Chrome will use for storing the roaming copy of the profiles.

If you set this policy, Google Chrome will use the provided directory to store the roaming copy of the profiles if the Google Chrome policy has been enabled. If the Google Chrome policy is disabled or left unset the value stored in this policy is not used.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

If this policy is left not set the default roaming profile path will be used.

If you enable this setting, the settings stored in Google Chrome profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the Google Chrome policy. Enabling this policy disables cloud sync.

If this policy is disabled or left not set only the regular local profiles will be used.

If you enable this setting, all Flash content embedded on websites that have been set to allow Flash in content settings -- either by the user or by enterprise policy -- will be run, including content from other origins or small content.

To control which websites are allowed to run Flash, see the "DefaultPluginsSetting", "PluginsAllowedForUrls", and "PluginsBlockedForUrls" policies.

If this setting is disabled or not set, Flash content from other origins or small content might be blocked.

SAMLOfflineSigninTimeLimit

Limit the time for which a user authenticated via SAML can log in offline

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SAMLOfflineSigninTimeLimit

Supported on:

Google Chrome OS (Google Chrome OS) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

During login, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).

When this policy is set to a value of -1, the user can authenticate offline indefinitely. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again.

Leaving this policy not set will make Google Chrome OS use a default time limit of 14 days after which the user must use online authentication again.

Chrome shows a warning page when users navigate to sites that have SSL errors. By default or when this policy is set to true, users are allowed to click through these warning pages.
Setting this policy to false disallows users to click through any warning page.

Warning: The max TLS version policy will be entirely removed from Google Chrome around version 66 (around February 2018).

If this policy is not configured then Google Chrome uses the default maximum version.

Otherwise it may be set to one of the following values: "tls1.2" or "tls1.3". When set, Google Chrome will not use SSL/TLS versions greater than the specified version. An unrecognized value will be ignored.

Setting this policy to false stops users from choosing to send some system information and page content to Google servers. If this setting is true or not configured, then users will be allowed to send some system information and page content to Safe Browsing to help detect dangerous apps and sites.

See https://developers.google.com/safe-browsing for more info on SafeBrowsing.

Identify if Google Chrome can allow download without Safe Browsing checks when it's from a trusted source.

When False, downloaded files will not be sent to be analyzed by Safe Browsing when it's from a trusted source.

When not set (or set to True), downloaded files are sent to be analyzed by Safe Browsing, even when it's from a trusted source.

Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options.

This policy is not available on Windows instances that are not joined
to a Microsoft® Active Directory® domain.

Specifies URLs and domains for which no prompt will be shown when attestation certificates from Security Keys are requested. Additionally, a signal will be sent to the Security Key indicating that individual attestation may be used. Without this, users will be prompted in Chrome 65+ when sites request attestation of Security Keys.

URLs (like https://example.com/some/path) will only match as U2F appIDs. Domains (like example.com) only match as webauthn RP IDs. Thus, to cover both U2F and webauthn APIs for a given site, both the appID URL and domain would need to be listed.

When this policy is set, it specifies the length of time after which a user is automatically logged out, terminating the session. The user is informed about the remaining time by a countdown timer shown in the system tray.

When this policy is not set, the session length is not limited.

If you set this policy, users cannot change or override it.

The policy value should be specified in milliseconds. Values are clamped to a range of 30 seconds to 24 hours.

Sets one or more recommended locales for a public session, allowing users to easily choose one of these locales.

The user can choose a locale and a keyboard layout before starting a public session. By default, all locales supported by Google Chrome OS are listed in alphabetic order. You can use this policy to move a set of recommended locales to the top of the list.

If this policy is not set, the current UI locale will be pre-selected.

If this policy is set, the recommended locales will be moved to the top of the list and will be visually separated from all other locales. The recommended locales will be listed in the order in which they appear in the policy. The first recommended locale will be pre-selected.

If there is more than one recommended locale, it is assumed that users will want to select among these locales. Locale and keyboard layout selection will be prominently offered when starting a public session. Otherwise, it is assumed that most users will want to use the pre-selected locale. Locale and keyboard layout selection will be less prominently offered when starting a public session.

When this policy is set and automatic login is enabled (see the |DeviceLocalAccountAutoLoginId| and |DeviceLocalAccountAutoLoginDelay| policies), the automatically started public session will use the first recommended locale and the most popular keyboard layout matching this locale.

The pre-selected keyboard layout will always be the most popular layout matching the pre-selected locale.

This policy can only be set as recommended. You can use this policy to move a set of recommended locales to the top but users are always allowed to choose any locale supported by Google Chrome OS for their session.

If you set this policy, you can configure whether a user is allowed to sign in to Google Chrome. Setting this policy to 'False' will prevent apps and extensions that use the chrome.identity API from functioning, so you may want to use SyncDisabled instead.

NOTE: This policy is experimental and may break functionality!
You might want to look at the IsolateOrigins policy setting to get the
best of both worlds, isolation and limited impact for users, by using
IsolateOrigins with a list of the sites you want to isolate. This setting,
SitePerProcess, isolates all sites.
If the policy is enabled, each site will run in its own process.
If the policy is disabled, the pre-Site Isolation process management logic will take effect.
If the policy is not configured, the user will be able to change this setting.

If you enable this setting, users cannot change or override this setting in Google Chrome.

If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.

To fully disable Google Sync, it is recommended that you disable the Google Sync service in the Google Admin console.

This policy should not be enabled when RoamingProfileSupportEnabled policy is set to enabled as that feature shares the same client side functionality. The Google-hosted synchronization is disabled in this case completely.

Note for Google Chrome OS devices supporting Android apps:

Disabling Google Sync will cause Android Backup and Restore to not function properly.

Specifies the timezone to be used for the device. Users can override the specified timezone for the current session. However, on logout it is set back to the specified timezone. If an invalid value is provided, the policy is still activated using "GMT" instead. If an empty string is provided, the policy is ignored.

If this policy is not used, the currently active timezone will remain in use however users can change the timezone and the change is persistent. Thus a change by one user affects the login-screen and all other users.

New devices start out with the timezone set to "US/Pacific".

The format of the value follows the names of timezones in the "IANA Time Zone Database" (see "https://en.wikipedia.org/wiki/Tz_database"). In particular, most timezones can be referred to by "continent/large_city" or "ocean/large_city".

When this policy is set, automatic timezone detection flow will be in one of the following ways depending on the value of the setting:

If set to TimezoneAutomaticDetectionUsersDecide, users would be able to control automatic timezone detection using normal controls in chrome://settings.

If set to TimezoneAutomaticDetectionDisabled, automatic timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always off.

If set to TimezoneAutomaticDetectionIPOnly, timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always on. Timezone detection will use IP-only method to resolve location.

If set to TimezoneAutomaticDetectionSendWiFiAccessPoints, timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always on. The list of visible WiFi access-points will be always sent to Geolocation API server for fine-grained timezone detection.

If set to TimezoneAutomaticDetectionSendAllLocationInfo, timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always on. Location information (such as WiFi access-points, reachable Cell Towers, GPS) will be sent to a server for fine-grained timezone detection.

If this policy is not set, it will behave as if TimezoneAutomaticDetectionUsersDecide is set.

If SystemTimezone policy is set, it overrides this policy. In this case automatic timezone detection is completely disabled.

0 = Let users decide

1 = Never auto-detect timezone

2 = Always use coarse timezone detection

3 = Always send WiFi access-points to server while resolving timezone

4 = Always send any available location signals to the server while resolving timezone

Sets the Terms of Service that the user must accept before starting a device-local account session.

If this policy is set, Google Chrome OS will download the Terms of Service and present them to the user whenever a device-local account session is starting. The user will only be allowed into the session after accepting the Terms of Service.

If this policy is not set, no Terms of Service are shown.

The policy should be set to a URL from which Google Chrome OS can download the Terms of Service. The Terms of Service must be plain text, served as MIME type text/plain. No markup is allowed.

This policy configures enabling the virtual keyboard as an input device on ChromeOS. Users cannot override this policy.

If the policy is set to true, the on-screen virtual keyboard will always be enabled.

If set to false, the on-screen virtual keyboard will always be disabled.

If you set this policy, users cannot change or override it. However, users will still be able to enable/disable an accessibility on-screen keyboard which takes precedence over the virtual keyboard controlled by this policy. See the |VirtualKeyboardEnabled| policy for controlling the accessibility on-screen keyboard.

If this policy is left unset, the on-screen keyboard is disabled initially but can be enabled by the user anytime. Heuristic rules may also be used to decide when to display the keyboard.

If you enable this setting, Google Chrome will offer translation functionality to the user by showing an integrated translate toolbar (when appropriate) and a translate option on the right-click context menu.

If you disable this setting, all built-in translate features will be disabled.

If you enable or disable this setting, users cannot change or override this setting in Google Chrome.

If this setting is left not set the user can decide to use this function or not.

URLWhitelist

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\URLWhitelist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\URLWhitelist

Mac/Linux preference name:

URLWhitelist

Android restriction name:

URLWhitelist

Android WebView restriction name:

com.android.browser:URLWhitelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15

Google Chrome OS (Google Chrome OS) since version 15

Google Chrome (Android) since version 30

Android System WebView (Android) since version 47

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows access to the listed URLs, as exceptions to the URL blacklist.

See the description of the URL blacklist policy for the format of entries of this list.

This policy can be used to open exceptions to restrictive blacklists. For example, '*' can be blacklisted to block all requests, and this policy can be used to allow access to a limited list of URLs. It can be used to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths.

The most specific filter will determine if a URL is blocked or allowed. The whitelist takes precedence over the blacklist.

This policy is limited to 1000 entries; subsequent entries will be ignored.

If this policy is not set there will be no exceptions to the blacklist from the 'URLBlacklist' policy.

Note for Google Chrome OS devices supporting Android apps:

Android apps may voluntarily choose to honor this list. You cannot force them to honor it.

If this policy is set to true, Unified Desktop is allowed and
enabled by default, which allows applications to span multiple displays.
The user may disable Unified Desktop for individual displays by unchecking
it in the display settings.

If this policy is set to false or unset, Unified Desktop will be
disabled. In this case, the user cannot enable the feature.

The policy specifies a list of origins (URLs) to be treated as secure
context. The intent is to allow organizations to set up a staging server
for internal web developments.
This is the same as the --unsafely-treat-insecure-origin-as-secure flag.
For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/

When this policy is set, it specifies the length of device uptime after which an automatic reboot is scheduled.

When this policy is not set, the device uptime is not limited.

If you set this policy, users cannot change or override it.

An automatic reboot is scheduled at the selected time but may be delayed on the device by up to 24 hours if a user is currently using the device.

Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.

The policy value should be specified in seconds. Values are clamped to be at least 3600 (one hour).

Defines the list of USB devices that are allowed to be detached from their kernel driver in order to be used through the chrome.usb API directly inside a web application. Entries are pairs of USB Vendor Identifier and Product Identifier to identify a specific hardware.

If this policy is not configured, the list of a detachable USB devices is empty.

UserAvatarImage

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UserAvatarImage

Supported on:

Google Chrome OS (Google Chrome OS) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy allows you to configure the avatar image representing the user on the login screen. The policy is set by specifying the URL from which Google Chrome OS can download the avatar image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its size must not exceed 512kB. The URL must be accessible without any authentication.

The avatar image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

The policy should be specified as a string that expresses the URL and hash in JSON format, conforming to the following schema:
{
"type": "object",
"properties": {
"url": {
"description": "The URL from which the avatar image can be downloaded.",
"type": "string"
},
"hash": {
"description": "The SHA-256 hash of the avatar image.",
"type": "string"
}
}
}

If this policy is set, Google Chrome OS will download and use the avatar image.

If you set this policy, users cannot change or override it.

If the policy is left not set, the user can choose the avatar image representing them on the login screen.

Configures the directory that Google Chrome will use for storing user data.

If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a volume's root directory or to a directory used for other purposes, because Google Chrome manages its contents.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.

If enabled or not configured (default), the user will be prompted for
video capture access except for URLs configured in the
VideoCaptureAllowedUrls list which will be granted access without prompting.

When this policy is disabled, the user will never be prompted and video
capture only be available to URLs configured in VideoCaptureAllowedUrls.

This policy affects all types of video inputs and not only the built-in camera.

Note for Google Chrome OS devices supporting Android apps:

For Android apps, this policy affects the built-in camera only. When this policy is set to true, the camera is disabled for all Android apps, with no exceptions.

WallpaperImage

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WallpaperImage

Supported on:

Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy allows you to configure the wallpaper image that is shown on the desktop and on the login screen background for the user. The policy is set by specifying the URL from which Google Chrome OS can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication.

The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

The policy should be specified as a string that expresses the URL and hash in JSON format, conforming to the following schema:
{
"type": "object",
"properties": {
"url": {
"description": "The URL from which the wallpaper image can be downloaded.",
"type": "string"
},
"hash": {
"description": "The SHA-256 hash of the wallpaper image.",
"type": "string"
}
}
}

If this policy is set, Google Chrome OS will download and use the wallpaper image.

If you set this policy, users cannot change or override it.

If the policy is left not set, the user can choose an image to be shown on the desktop and on the login screen background.